In a previous life, I was a computer security specialist.Â I had a really cool job, and worked with really, really damn cool people (hi Gerald, Doug, Jon, et al).Â I read (a tiny fraction of) all the cool security news.Â I kept up to date on as many security topics as I could.Â I read security books.Â I studied a lot of security web sites.Â I took training from SANS.Â I subscribed to a few security mailing lists, although much of the detail in many vulnerability announcements messages was above my understanding.

But in all that reading, research, study, training, and other learning, one of the coolest things I ever consumed was the OSSTMM project. Rather than try to explain this project, I’ll just snag the introductory text from the project home site:

The Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed methodology for performing security tests and metrics. The OSSTMM test cases are divided into five channels (sections) which collectively test: information and data controls, personnel security awareness levels, fraud and social engineering control levels, computer and telecommunications networks, wireless devices, mobile devices, physical security access controls, security processes, and physical locations such as buildings, perimeters, and military bases.

The OSSTMM focuses on the technical details of exactly which items need to be tested, what to do before, during, and after a security test, and how to measure the results. New tests for international best practices, laws, regulations, and ethical concerns are regularly added and updated.

The version I read when I first found this was 2.2.Â It has been years since I used it, and I periodically check in for updates on the version 3.0 release.Â I haven’t seen an update on the web site, and I’m not a team member/subscriber to the service, so I didn’t expect I would know unless I checked in on my own.Â Well tonight, while catching up on email, I get this message from the project: